Third-Party DNS Services
Many recursive DNS providers offer domain name resolution for your network, and you can use them instead of, or in conjunction with, your own DNS server (or those of your ISP). Here we’ll review three of the most popular third-party providers: OpenDNS, Google, and Dyn.
OpenDNS is one of the most popular and feature-rich DNS providers, offering free and commercial services with a variety of DNS-based features:
- Web content filtering: You can choose to block content types, including pornography, social networking, video sharing, P2P/file sharing, and many other categories. You can also input specific sites to block, or allow regardless of categories selected.
- Malware and security protection: In addition to blocking web pages containing malware, communication from some viruses and botnets (like Conficker and the Internet Explorer Zero Day Exploit) that might exist on your computers is automatically blocked. Other features provide further DNS protection, such as blocking internal IP address resolutions to protect against DNS Rebinding attacks.
- Phishing site blocking: Phishing sites listed in their PhishTank database are also automatically blocked, helping to protect your users.
- Custom DNS shortcuts: As an alternative to running your own DNS server, you can create shortcuts that point to an Internet or Intranet domain or IP address. For instance, you could create a shortcut to your company’s Intranet site so that when users on the network enter “portal” into their web browser, it forwards them to the IP address you specify for your web server.
- Error/Blocked Page Branding: You can brand the common error pages (like 404 Not Found) and the pages shown to users when a site is blocked with your company logo, email contact form, and customized messages.
- Internet activity logs: Basic DNS-related stats are logged so you can view the number and type of requests and the domains visited and blocked.
- DNS encryption: Currently still in the Beta phase, their DNSCrypt service offers fully encrypted connections to their DNS servers, preventing eavesdropping on your DNS traffic and attacks like cache poisoning where hackers redirect domains to malicious sites. However, unlike their other services, this would require installing client software on your end-user computers.
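The internal-address check mentioned in the malware and security bullet above can be sketched as follows. This is an added example, not OpenDNS's code: the function names, the `local_zones` exception list (for intranet names such as a “portal” shortcut that legitimately resolve to internal IPs) and the sample responses are all assumptions constructed for illustration.

```python
import ipaddress

def is_internal(rdata: str) -> bool:
    """True if an A/AAAA value points at internal or non-routable space."""
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return True  # malformed address data: fail closed
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot hide an internal IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified

def in_zone(qname: str, zones) -> bool:
    """Match on whole labels, so 'evilcorp.example' is not inside 'corp.example'."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def screen_response(qname, answers, local_zones=()):
    """Return (verdict, offending_addresses) for one DNS response.

    answers is a list of (record_type, rdata) tuples. Names inside
    local_zones (hypothetical allow-list) may resolve to internal addresses.
    """
    if in_zone(qname, local_zones):
        return "allow-local", []
    offending = [rdata for rtype, rdata in answers
                 if rtype in ("A", "AAAA") and is_internal(rdata)]
    # A single internal address is enough to refuse the whole response,
    # including one that mixes public and internal records.
    return ("block", offending) if offending else ("allow", [])

# Constructed sample responses (not captured traffic).
SAMPLES = [
    ("www.example.com", [("A", "8.8.8.8")]),
    ("rebind.example.net", [("A", "8.8.8.8"), ("A", "192.168.1.1")]),
    ("portal.corp.example", [("A", "10.0.0.5")]),
    ("x.example.org", [("AAAA", "::ffff:127.0.0.1")]),
]

if __name__ == "__main__":
    for qname, answers in SAMPLES:
        print(qname, screen_response(qname, answers, local_zones=("corp.example",)))
```
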
In addition to these features, OpenDNS boasts high reliability with 12 global datacenters, which may provide a more reliable DNS service than what you or your ISP can provide. They also claim to have the largest DNS caches and run the fastest DNS resolvers. They even claim there’s been zero downtime since their inception in 2006. Also keep in mind that the filtering and security is all DNS-based, which doesn’t add any latency like other solutions might.
Their DNS service with basic malware and phishing protection, called Premium DNS, is free to anyone in the world. It doesn’t require you to create any account; you simply configure your routers or gateways with their DNS IP addresses and the entire network will be protected. They also offer the free OpenDNS FamilyShield service, which is targeted towards residential networks but can also be used by businesses, and which automatically blocks adult content in addition to the basic malware and phishing protection. It doesn’t require an account either and is available via another set of DNS addresses.
To customize the web content filtering and for the other features (like DNS shortcuts, error/blocked page branding, and activity logs) you must create an OpenDNS account and can then configure your settings for the DNS service. They offer basic functionality of most of their features via a free OpenDNS Home account.
One of the downsides of using any of the free OpenDNS services is that they display advertisements on the error and blocked pages. The page that appears when users try to visit a non-responsive or non-existent domain, which they call the Guide, is a search engine with sponsored links and ads. The page displayed when blocking a site doesn’t have the search engine but serves traditional advertisements.
OpenDNS Enterprise offers enhancements to most of the features. For instance, it increases the number of domains you can white or black list and adds a whitelist-only option that you can use to block all sites except those you specify. It also provides more detailed stats and logs and enables you to create bypass codes to grant users limited-time access to blocked content or sites.
Dyn Internet Guide
Dyn offers a DNS service similar to that of OpenDNS, called the Internet Guide. They provide free and commercial options, both offering web content filtering with malware and security protection. However, before you can enable web content filtering you must purchase or sign up for a free trial of their dynamic DNS service, which is in addition to the Internet Guide subscription. If you have only one location you can cancel the dynamic DNS service before the trial expires and keep one hostname for free, but it must be updated every 30 days, which may be an issue if you have a static Internet IP or your dynamic IP doesn’t change often enough.
The free Internet Guide service lets you protect only one location and limits you to 30 white-list and 30 black-list domains, but it lets you choose between all the filtering categories. Similar to the dynamic DNS service, you must maintain account activity to keep the free service: log in to your Internet Guide account at least once every 30 days. The paid Internet Guide subscriptions offer more domains you can white or black list and better support.
Like OpenDNS, Internet Guide redirects users when a website isn’t loading to what they call their landing page, letting them know about the error and displaying search results. However, unlike OpenDNS, you can optionally disable this redirection so users see the native browser error page. Users will always see the Internet Guide blocked page when they visit a site you’ve blocked, but this page doesn’t feature search results or advertisements.
Google Public DNS
Google offers a free global DNS service called Google Public DNS. Though only basic DNS service is offered, they do make similar claims to OpenDNS with regard to better DNS security and faster DNS service than most other providers like your ISP. Unlike OpenDNS, Google doesn’t offer any commercial options. The service is free and doesn’t even serve ads or redirect you to their pages for errors like non-existent or non-responsive domains.
We reviewed three of the most popular recursive DNS providers that can provide the domain name resolution for your network. OpenDNS provides the most DNS-based features and functionality. The Dyn Internet Guide provides content filtering and security similar to OpenDNS, but doesn’t include the other features like error/block page branding, activity logs, DNS shortcuts, or DNS encryption. And Google Public DNS provides simple but reliable basic DNS service.